#DESC ddclient - Update dynamic IP address at DynDNS.org
#
# Author: Greg Norris <haphazard@kc.rr.com>
# X-Debian-Packages: ddclient
#

#################################
#
# Rules for the ddclient_t domain.
#
daemon_domain(ddclient);
type ddclient_etc_t, file_type, sysadmfile;
type ddclient_var_t, file_type, sysadmfile;
log_domain(ddclient)
var_lib_domain(ddclient)

base_file_read_access(ddclient_t)
can_exec(ddclient_t, { shell_exec_t bin_t })

# ddclient can be launched by pppd
ifdef(`pppd.te',`domain_auto_trans(pppd_t, ddclient_exec_t, ddclient_t)')

# misc. requirements
allow ddclient_t self:fifo_file rw_file_perms;
allow ddclient_t self:socket create_socket_perms;
allow ddclient_t etc_t:file { getattr read };
allow ddclient_t etc_runtime_t:file r_file_perms;
allow ddclient_t ifconfig_exec_t:file { rx_file_perms execute_no_trans };
allow ddclient_t urandom_device_t:chr_file read;
general_proc_read_access(ddclient_t)
allow ddclient_t sysctl_net_t:dir search;

# network-related goodies
can_network_client(ddclient_t)
allow ddclient_t port_type:tcp_socket name_connect;
allow ddclient_t self:unix_dgram_socket create_socket_perms;
allow ddclient_t self:unix_stream_socket create_socket_perms;

# allow access to ddclient.conf and ddclient.cache
allow ddclient_t ddclient_etc_t:file r_file_perms;
file_type_auto_trans(ddclient_t, var_t, ddclient_var_t)
dontaudit ddclient_t devpts_t:dir search;
dontaudit ddclient_t { devtty_t admin_tty_type user_tty_type }:chr_file rw_file_perms;
dontaudit httpd_t selinux_config_t:dir search;